CVE-2026-41576 HIGH

CVE-2026-41576: Ajax30/BraveCMS-2.0: Stored HTML Injection in Contact Email via nl2br() and Unescaped Blade Template

Vendor Ajax30
Product BraveCMS-2.0
Weakness CWE-79 · XSS
Published May 8, 2026
Last update May 13, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

What the vulnerability does

01Description

Brave CMS is an open-source CMS. Prior to commit 6c56603, the contact form is publicly accessible (no authentication required). User-supplied message text is passed through PHP's nl2br() function, which converts newlines to <br> tags but does not escape HTML. The resulting string is then passed to a Blade email template using the unescaped {!! $msg !!} directive. The resulting content is then rendered in a Blade email template using the unescaped {!! $msg !!} directive. Because HTML is not sanitized, arbitrary markup can be injected into the email body. While modern HTML-capable email clients (Gmail or Outlook Web) typically block JavaScript execution, they still render HTML content. This allows attackers to craft convincing phishing interfaces inside the email sent to the administrator. This issue has been patched via commit 6c56603.

Key dates

02Disclosure timeline

May 8, 2026 CVE published
May 13, 2026 Record updated